Due to security requirements, I have to pass the credentials to Ververica Platform via mounted files (e.g., when retrieving credentials from HashiCorp Vault) rather than the Kubernetes Secrets or plaintext in values.yaml. How do I achieve that? Is there any way to load credentials from mounted files in the Ververica Platform pod?
Note: This section applies to Ververica Platform 2.5 or later.
This article describes the ways to provide the following credentials via mounted files. The credentials are categorized into two groups as they need to be treated differently:
Note: To integrate HashiCorp Vault with Ververica Platform and load credentials in the Flink jobs running on Ververica Platform, please refer to this link.
$ cat ./creds-vault.yaml
spring:
  datasource:
    password: admin123
vvp:
  auth:
    oidc:
      registration:
        client-id: victor-test
        client-secret: 7wjuJmRNQEC903WuncsdKsrbo8ND528q
    bootstrapToken:
      token: My_Bstoken
$ cat ./s3.accessKeyId
admin
$ cat ./s3.secretAccessKey
password
Getting credentials and mounting them into the Ververica Platform pod depends on where your credentials are stored. When mounting them, follow these guidelines:
Mount creds-vault.yaml into the appmanager container and the gateway container in the Ververica Platform pod under the path /conf/common-creds/.
Important: the mounted path and file name can be changed, but the path should not be any existing Ververica Platform directory.
Mount the two files (s3.accessKeyId and s3.secretAccessKey) into the appmanager container and the gateway container in the Ververica Platform pod under the path /conf/blob-creds/.
Important: the mounted directory can be changed, but the two filenames must be exactly the same as the ones used here.
Add the creds-vault.yaml path to "spring.config.additional-location" in values.yaml (file:/vvp/etc/, the default path, must be included):
env:
  - name: "spring.config.additional-location"
    value: "file:/conf/common-creds/creds-vault.yaml,file:/vvp/etc/"
Important: remember to keep the last / in file:/vvp/etc/, as it has to be a directory.
Set the environment variable "vvp.blob-storage.credentials-dir" to the mounted directory in values.yaml:
env:
  - name: "vvp.blob-storage.credentials-dir"
    value: "/conf/blob-creds/"
Now you can use values.yaml to set up your Ververica Platform. It will get the credentials from the mounted files.
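The "Important" notes above can be checked before the platform starts. The following shell functions are an added example, not part of the original article or of Ververica Platform; the function names and the optional ROOT argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Ververica code). The optional ROOT prefix is an
# assumption that lets the checks run against a test tree instead of "/".

# check_additional_location VALUE [ROOT]
# VALUE: the comma-separated "spring.config.additional-location" string.
check_additional_location() {
    value=$1 root=${2:-} rc=0 has_default=no
    old_ifs=$IFS
    IFS=,
    for entry in $value; do
        case $entry in
            file:/vvp/etc/) has_default=yes ;;
            file:/vvp/etc)
                echo "file:/vvp/etc must end with / (it is a directory)" >&2
                has_default=yes rc=1 ;;
            file:/vvp/etc/*)
                echo "credentials file inside platform directory: $entry" >&2
                rc=1 ;;
            file:*/) ;;   # other directories: nothing to verify here
            file:*)
                path=$root${entry#file:}
                [ -r "$path" ] || { echo "not readable: $path" >&2; rc=1; } ;;
        esac
    done
    IFS=$old_ifs
    [ "$has_default" = yes ] || { echo "file:/vvp/etc/ is missing" >&2; rc=1; }
    return "$rc"
}

# check_blob_creds DIR
# DIR: the "vvp.blob-storage.credentials-dir" value; file names are fixed.
check_blob_creds() {
    dir=${1%/} rc=0
    for name in s3.accessKeyId s3.secretAccessKey; do
        [ -s "$dir/$name" ] || { echo "missing or empty: $dir/$name" >&2; rc=1; }
    done
    return "$rc"
}

# Usage inside the appmanager and gateway containers:
#   check_additional_location "file:/conf/common-creds/creds-vault.yaml,file:/vvp/etc/"
#   check_blob_creds /conf/blob-creds/
```

Both functions return non-zero and print the reason to stderr when a rule from the article is violated, so they can gate a startup or CI step.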